
Spammer’s Arrest Puts End to Kelihos Botnet

Notorious spammer Peter Levashov was arrested over the weekend; Levashov is the alleged botmaster behind the Kelihos botnet.

The alleged Russian botmaster behind the Kelihos botnet was arrested while on vacation in Spain, putting an end to a seven-year cybercrime operation that foisted hundreds of millions of spam messages on consumers, as well as a dangerous array of banking malware and ransomware.

Pyotr Levashov, also known as Peter Severa and a handful of other aliases, was arrested on Sunday by authorities in Barcelona. The U.S. Department of Justice yesterday released a statement acknowledging international cooperation between U.S. and foreign authorities, as well as the Shadow Server Foundation and Crowdstrike, in making the arrest and seizing infrastructure used to support Kelihos and Levashov’s operations.

“The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives,” said Acting Assistant Attorney General Kenneth A. Blanco.

Kelihos surfaced in 2010 after the takedown of the Storm botnet. For years, it had targeted Windows machines with nonstop spam pushing counterfeit drugs, pump-and-dump stock scams and other fraudulent schemes. It was also proficient at spreading banking malware such as Vawtrak and Kronos, and a number of different ransomware families.

The DoJ said it obtained a Rule 41 warrant to facilitate the Kelihos takedown.

“The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server,” the DoJ said. “This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.”

The DoJ said it began blocking Kelihos domains on Saturday, less than 24 hours before Levashov’s arrest.

Levashov, of St. Petersburg, is No. 7 on Spamhaus’ list of the worst spammers, and is alleged to have been a partner of American spammer Alan Ralsky.

Kelihos has survived a number of past takedowns, including a live sinkholing of thousands of bots conducted during the 2013 RSA Conference by former Kaspersky Lab researcher Tillmann Werner. Werner and Stefan Ortloff had also been part of earlier Kelihos shutdowns in 2011 and 2012, and in 2013 published a post-mortem on those shutdowns that showed a steady downturn in new Kelihos bots.

The botnet resurfaced time and time again and spread malware that harvested credentials from infected computers, including usernames and passwords for online banking accounts.

The DoJ said it obtained civil and criminal court orders from the District of Alaska that granted authorities permission to redirect command and control requests from bots to servers controlled by law enforcement. They were also entitled to block any commands sent by the botmaster in an attempt to regain control of his network and bots.
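The substitute server the DoJ describes is a sinkhole: infected machines keep calling home, but the server they reach only records who connected so the IP addresses can be handed to ISPs for cleanup. As an added example that is not from the article, the DoJ, or any of the organisations named here, the Python below parses a few constructed sinkhole connection records, deduplicates the victim IPs, and groups them by provider netblock so each ISP gets only its own list. The log format, the provider names and the netblocks (documentation ranges) are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a sinkhole might log per inbound connection:
# ISO timestamp, source IP, source port. One malformed line is included
# to show that bad records are skipped rather than crashing the tally.
SAMPLE_LOG = """\
2017-04-08T14:02:11Z 198.51.100.23 51342
2017-04-08T14:02:15Z 203.0.113.77 40211
2017-04-08T14:03:02Z 198.51.100.23 51343
2017-04-08T14:05:40Z 198.51.100.200 60001
2017-04-08T14:06:09Z 192.0.2.9 44444
bad line that should be skipped
2017-04-08T14:07:55Z 203.0.113.5 40212
"""

# Constructed mapping of provider name -> announced netblocks. These are
# placeholder documentation prefixes, not real allocations.
PROVIDER_BLOCKS = {
    "Example ISP A": ["198.51.100.0/24"],
    "Example ISP B": ["203.0.113.0/24"],
}


def parse_sinkhole_log(text):
    """Return {ip_address: (first_seen, last_seen, hit_count)}.

    Each victim IP appears once regardless of how many times it connected;
    first/last timestamps let an analyst see whether a host is still active.
    """
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record
        ts_raw, ip_raw, _port = parts
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
            ip = ipaddress.ip_address(ip_raw)
        except ValueError:
            continue  # unparseable timestamp or address
        first, last, count = seen.get(ip, (ts, ts, 0))
        seen[ip] = (min(first, ts), max(last, ts), count + 1)
    return seen


def group_victims_by_provider(victims, provider_blocks):
    """Map each victim IP to the provider whose netblock contains it.

    Returns {provider_name: [ip, ...]} with IPs sorted numerically; addresses
    matching no known block land under "unassigned" for manual lookup.
    """
    networks = [
        (ipaddress.ip_network(block), provider)
        for provider, blocks in provider_blocks.items()
        for block in blocks
    ]
    grouped = defaultdict(list)
    for ip in sorted(victims, key=int):
        provider = next((p for net, p in networks if ip in net), "unassigned")
        grouped[provider].append(str(ip))
    return dict(grouped)


if __name__ == "__main__":
    victims = parse_sinkhole_log(SAMPLE_LOG)
    for provider, ips in group_victims_by_provider(victims, PROVIDER_BLOCKS).items():
        print(f"{provider}: {len(ips)} host(s) -> {', '.join(ips)}")
```

In practice the provider lookup would come from WHOIS or BGP data rather than a hard-coded table, and the per-provider lists would be the payload of the abuse notifications the article says the government intended to send.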